Risk-Based NERC Compliance: Assessing Risk to Bulk Power System Generation

Ensuring the reliability of the power system is the responsibility of many industry participants. In this POWER exclusive, one regional reliability entity, the Midwest Reliability Organization, explains its role.

In response to the 2003 Blackout—which affected parts of the U.S. Northeast and Midwest, plus portions of the Canadian province of Ontario—the U.S. Congress mandated adoption of reliability standards for the bulk power system (BPS). The North American Electric Reliability Corp. (NERC) is responsible for coordinating the development of those mandatory reliability standards (written by industry experts), which become effective with approval from the Federal Energy Regulatory Commission (FERC) in the U.S. and authorization in Canada under arrangements with each province. NERC has contracted with Midwest Reliability Organization (MRO) and seven other regional entities to be responsible for compliance, monitoring, and enforcement of the reliability standards.

Development of a Risk-Based Approach

When MRO began enforcing mandatory reliability standards in 2007, every instance of noncompliance, no matter what the risk was to reliable operations of the BPS, required a formal enforcement proceeding with a filing to FERC in the U.S. We literally made a federal case out of everything.

In addition, each year a subset of the more than 500 requirements in the reliability standards was identified to be actively monitored during the year across North America. This meant that all entities performing similar functions, regardless of size or uniqueness, would be monitored on the same set of requirements each year. A 5,000-MW generator operator (GOP) control center would be monitored for the same requirements as one controlling 100 MW with regard to control system infrastructure and security. A large generator owner (GO) with a fleet of baseload generation facilities and ownership of generator lead lines out to the transmission network would be monitored for the same requirements as a wind farm with no power delivery assets.

Today our work is informed by risk. We have a way to process minimal-risk issues without the formality of an enforcement proceeding. Entities are now eligible, based on past performance, to self-log minimal-risk items. Of course, the entities have to share a technically valid view of risk with MRO—a cornerstone of self-logging.

The greatest challenge through this transition, from a technical standpoint, is MRO developing compliance oversight based on risk—the ability to individually tailor compliance oversight for each entity, based on a technical analysis of its unique inherent risks, as well as regional and continent-wide risks (Figure 1).

1. Layers of risks. Regional reliability organizations assess risk for individual entities based on a combination of continental, regional, and entity-specific factors. Courtesy: Midwest Reliability Organization (MRO)

Effective risk-based oversight starts with the identification of risks. We have emerging risks, such as the changing generation resource mix (Figure 2) and the asymmetrical threats of cyberattacks, as well as understood risks, such as correct facility ratings and proper coordination between those responsible for transmission and those responsible for generation. Now NERC, through its stakeholder structure, annually produces a list of key continent-wide risks to be addressed. A few of this year’s continent-wide risks are:

■ Cybersecurity protection of critical infrastructure, such as generation control systems.

■ Maintenance and management of assets, such as facility ratings and protection system maintenance.

■ Planning and system analysis, with a focus on capacity emergencies and the changing generation resource mix that is occurring on the grid.

2. Changing resources = changing risks. The types of power system resources on the grid, where they are located, their size, and other factors all affect individual risk profiles and how those entities are handled by reliability organizations. Courtesy: MRO

Due to regional differences, as well as the fact that the North American grid is composed of four distinct interconnections, MRO performs a similar exercise to identify risks that are unique to the region or the Eastern Interconnection. This analysis is done using region-specific data such as root causes of power system events or major regional system infrastructure changes, and it is informed by trends identified through compliance monitoring. Examples of regional risks that were identified by MRO for 2016 include:

■ Implementation of facility ratings—ensuring that the maximum power flow through a facility does not violate applicable equipment ratings. For example, a generator should not be sized larger than its associated generator step-up (GSU) transformer, because at maximum generation output, the GSU would become overloaded.

■ Telecommunications infrastructure between primary and backup control centers.

■ Changes in planning coordinator and regional transmission organization (RTO) footprints within MRO.

Finally, in order to develop a customized oversight plan for an individual entity, MRO must analyze an entity’s unique risks, informed by the knowledge of continent-wide and regional risks.

Entity-specific risks are granular and require detailed analysis of entity-specific facilities, configurations, and the entity’s location on the grid. This work must be performed by technical power system and control system experts, using data such as system one-lines, generation interconnection agreements, restoration plans, and control system network diagrams. While the continent-wide and regional risk assessments are typically annual exercises and applicable to all entities, the entity-specific risk assessment is unique and must be conducted for each individual entity.

If this process is done correctly, the 5,000-MW GOP and the 100-MW GOP referenced as examples earlier would not receive the same oversight plan. Besides size, the GOP’s location on the grid is also likely different, as are the neighbors it interacts with and the depth of that interaction. One may be vertically integrated with transmission, while the other may operate but not own its own facilities. Each entity’s inherent risk is different, and a risk-based regulator should regulate them differently.

A Theoretical Example

Let’s look at an example, starting with risks and developing a customized oversight plan for a fictitious entity, Techie Generation Co. (TGC).

TGC is a 2,000-MW GO and GOP (it both owns and operates 2,000 MW of BPS generation assets). With regard to generation, the continent-wide risk examples listed earlier are all applicable. TGC operates generation, so it likely has a generation control system (a NERC-identified cybersecurity risk). TGC owns generation, so it is responsible for developing facility ratings and protecting those generation facilities from faults (NERC’s focus on maintenance and management of assets). And, because TGC owns and operates generation, it likely would have some role in responding to capacity emergencies (falling under NERC’s focus on planning and system analysis).

If TGC is located in the MRO Region, a few additional risks would be highlighted based on MRO’s identified regional risks, such as facility ratings and telecommunications infrastructure for backup control centers.

Taking the continent-wide and regional risks into consideration, TGC would then be analyzed based upon its specific facilities and configurations, a few of which would be:

■ Is any of TGC’s generation blackstart?

■ TGC’s fleet is 2,000 MW, but how big is each unit, and where is each located on the grid?

■ Who owns and operates the transmission system that TGC interconnects to, and what is the nature of that relationship? Is TGC also a transmission owner or a transmission operator?

■ Are there any remedial action schemes (RAS), such as automatic generation runback, in place? If so, how does the entire RAS work, and what is TGC’s role in that?

■ What does the network architecture of TGC’s generation control system look like? How does it receive setpoints for its generation facilities? Is the control system segregated from other internal and external networks?

The answers to these questions allow a Regional Entity like MRO to make determinations, based on entity-specific risk, as to which standards and requirements are most impactful to this entity and should be the focus of risk-based regulatory oversight. Additionally, a decision can be made as to the extent of applicability of continent-wide and regional risks to this entity.

The end result of answering these technical questions would likely culminate in an oversight plan partially represented as:

■ CIP-002-5 (Identification of BES Cyber Assets): Based upon the continent-wide risk of cybersecurity, the fact that the new Critical Infrastructure Protection Version 5 (CIP V5) standards are becoming enforceable in 2016 with new criteria for identifying cyber assets, as well as the size of this entity (2,000 MW) being such that it may have a generation control system classified as “Medium Impact,” a review of TGC’s process for identification of BES [bulk electric system] Cyber Assets is appropriate and warranted.

■ FAC-008-3 (Facility Ratings): Based upon the continent-wide risk of maintenance and management of assets, as well as the MRO regional risk of facility ratings, a review of TGC’s facility ratings would be part of its oversight plan.

Risk Assessments vs. Compliance Oversight Tools

It’s important to differentiate between the output of risk assessments and the use of compliance oversight tools. While the above standards have been identified as important for TGC based upon the continent-wide, regional, and entity-specific risks, a Regional Entity may perform oversight utilizing different compliance tools—self-certifications, spot checks, and audits.

CIP-002-5 is a good example of this. Because 2016 marks the implementation of the CIP V5 standards, the identification of cyber assets subject to the technical CIP requirements was identified as a continent-wide risk, which prompted the decision to have all Regional Entities gather and analyze this data (through data requests and, in some cases, guided self-certifications) in 2016. From a risk management standpoint, it wouldn’t make sense to wait until the next time an entity is audited to find out if it had issues with this foundational standard.

Similarly, facility ratings were identified as an issue in MRO’s region in recent years. MRO responded to this regional risk by issuing a guided self-certification of FAC-008-3 for entities within the MRO region, based upon this regional trend. MRO is not using the audit tool to evaluate either of these risks, but both CIP-002 and FAC-008 are being evaluated using a risk-based approach to compliance that is both timely and appropriately focused on specific risks.

Characteristics such as performance history or internal controls can also factor into the Regional Entity’s selection of compliance oversight tools to use for specific entities, or even subsets of compliance standards for a single entity. Just because a standard has been identified as material to an entity does not mean that it will be in an entity’s audit scope, or that it will receive any oversight; it depends on the strength of the entity’s internal controls or management practices, and on whether a region can rely upon the entity’s internal controls to the point of not having to perform oversight (or performing less oversight), even in an area that presents risk to the BPS.

The inherent risk doesn’t necessarily change, but the risk-based oversight plan adjusts to individual facts and circumstances so that oversight is appropriate and warranted.

Customized Oversight

The development of customized oversight plans is performed using analysis of continent-wide risks, regional risks, and entity-specific risks, with a relationship between those risks and the standards selected for oversight. The next step in the evolution of risk-based compliance monitoring and enforcement is consideration of the timing and frequency of oversight and selection of oversight tools based on risk.

That 5,000-MW GOP might need a visit every year (for a smaller audit focused in a certain area), while the 100-MW GOP might be able to have its oversight completely handled through self-certifications. It all depends on risk and performance.

Richard Burt is vice president of risk assessment, mitigation, and standards for the Midwest Reliability Organization. Relying on his practical engineering experience at a generation and transmission cooperative, he has been instrumental in helping develop the risk-based approach at NERC and the Regional Entities.